DETAILED ACTION
Acknowledgements 

1. The following is a Final Office action in response to communications filed on 
1/21/2009. Claims 1 and 24 have been amended. 

Response to Applicant's Remarks 

2. In response to Applicant's argument that the amendment of claims 1 and 24
obviates any perceived issue of statutory subject matter in the claims, Examiner
respectfully disagrees. Whether a method appropriately includes particular machines to 
qualify as a section 101 process may not always be a straightforward inquiry. As 
Comiskey recognized, "the mere use of the machine to collect data necessary for 
application of the mental process may not make the claim patentable subject matter." In 
re Comiskey, 499 F.3d 1365, 1380 (Fed. Cir. 2007), (citing In re Grams, 888 F.2d 835, 
839-40 (Fed. Cir. 1989)). In other words, nominal or token recitations of structure in a 
method claim should not convert an otherwise ineligible claim into an eligible one. Ex 
parte Langemyr (BPAI 2008-1495, 2008).

3. Applicant's argument with respect to claims 8-10 and 21 has been fully 
considered and is persuasive. The rejection of claims 8-10 and 21 under 35 USC § 112
has been withdrawn.

4. In response to Applicant's argument that Tschiegg does not teach determining
loss before and after implementation of a recommendation, Examiner respectfully 
disagrees. Tschiegg discloses a system that can among other things, maintain risk 
assessment information, including loss prevention measures before the loss of an asset 
(paragraph 0005) and produces a recommendation regarding the asset. Additionally, 
paragraph 0019 of Tschiegg measures the loss of the asset after implementation of a 
recommendation to determine the impact of the loss of said asset. Therefore, Tschiegg 
does teach and suggest this limitation of claim 1.

5. In response to Applicant's argument that Tschiegg does not teach conducting for 
each of said zones a respective zone risk assessment, Examiner respectfully disagrees. 
The filter function in Tschiegg displays data fields containing risk information, the data 
being derived from the corresponding risk management information (paragraph 0057). 
The risk management information can be limited to particular zones, for example the 
risk management information in Tschiegg can be limited to a particular region or zone 
(paragraph 0069-0070). Therefore Tschiegg does teach and suggest this limitation of 
claim 1. 

6. In response to Applicant's argument that Heinrich does not teach assessing the 
risk level associated with an asset or assessing the risk level associated with said 
respective asset independent of the respective zone of said respective asset, Examiner
respectfully disagrees. Heinrich discloses focusing on the protection of information 
assets (paragraph 0002). Furthermore, Heinrich discloses that the purpose of a risk
assessment is to evaluate threats to assets, identify vulnerabilities, determine the 
relevant risk, and to develop countermeasures to mitigate the risk (paragraph 0015). In 
Heinrich, the asset involved in the risk assessment is a computer network system 
(paragraph 0049). Therefore, Heinrich does teach and suggest this limitation in claim 1.



Claim Rejections - 35 USC § 101 

7. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

8. Claims 1-14 and 24-26 are rejected under 35 U.S.C. 101 because the claimed 
invention is directed to non-statutory subject matter. 

9. In order for a method to be considered a "process" under §101, a claimed 
process must either: (1) be tied to another statutory class (such as a particular 
apparatus) or (2) transform underlying subject matter (such as an article or materials). 
Diamond v. Diehr, 450 U.S. 175, 184 (1981); Parker v. Flook, 437 U.S. 584, 588 n.9 
(1978); Gottschalk v. Benson, 409 U.S. 63, 70 (1972). If neither of these requirements
is met by the claim, the method is not a patent eligible process under §101 and is
non-statutory subject matter.



Application/Control Number: 10/550,617 Page 5 

Art Unit: 3624 

Claims 1 and 24 are directed towards a method for assessing risk within an 
organization. As the claims are not sufficiently tied to an apparatus, such as a 
computer, and/or do not transform the underlying subject matter (from your claim) to a 
different state, the claimed method is non-statutory and therefore rejected under 35 
U.S.C. 101. 

10. Claims 2-14 and 24-26 are rejected for being dependent upon rejected claim 1.

Examiner's Notes 

11. The Examiner has pointed out particular references contained in the prior art of
record within the body of this action for the convenience of the Applicant. Although the 
specified citations are representative of the teachings in the art and are applied to the 
specific limitations within the individual claim, other passages and figures may apply. 
Applicant, in preparing the response, should consider fully the entire reference as 
potentially teaching all or part of the claimed invention, as well as the context of the 
passage as taught by the prior art or disclosed by the Examiner. 

Claim Rejections - 35 USC § 103 

12. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 
(a) A patent may not be obtained though the invention is not identically disclosed or described as set
forth in section 102 of this title, if the differences between the subject matter sought to be patented and
the prior art are such that the subject matter as a whole would have been obvious at the time the
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

13. Claims 1, 6, 8, 14, 19, 21 and 23-26 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Tschiegg et al (US 2003/0160818) in view of Heinrich (US 
2003/0046128). 

14. With respect to claims 1 and 16, Tschiegg teaches a computer-implemented 
method for assessing risk within an organization, comprising: 

a. defining one or more zones, each of said one and more zones comprising 
an environment (paragraph 0009, regarding location identifiers, earthquake 
zones and flood zones); 

b. identifying one or more assets of said organization, each of said assets 
being located in a respective one of said zones (paragraph 0009, regarding risk 
management information within the zones, which include company assets; Figure 
4, regarding the listed assets in the database);

c. conducting a respective impact assessment for each of said assets, each 
assessment comprising assessing the impact of the loss of said respective asset 
(paragraph 0019, regarding determining loss before and after implementation of
recommendation); 

d. conducting for each of said zones a respective zone risk assessment, 
comprising (paragraph 0058-0069, regarding the filter function that allows for 
customized reporting about specific risk management segments); 

e. conducting for each asset a respective asset risk assessment (paragraph 
0009-0010, regarding risk management and reporting functions); and 

f. assessing risk on the basis of at least said impact assessment, said zone 
risk assessment and said asset risk assessments (paragraph 0009-0010, 
regarding risk management and reporting functions). 

Tschiegg does not explicitly teach assessing a risk level of the asset within a 
zone. However, Heinrich teaches 

g. assessing the risk level associated with an asset (paragraph 0036); and 

h. assessing the risk level associated with said respective asset independent 
of the respective zone of said respective asset (paragraph 0037).

It would have been obvious to one of ordinary skill in the art to include the
business system of Tschiegg with the ability to assess a risk level of the asset as
taught by Heinrich since the claimed invention is merely a combination of old elements, 
and in the combination each element merely would have performed the same function 
as it did separately, and one of ordinary skill in the art would have recognized that the 
results of the combination were predictable. 

15. As to claims 6 and 19, Tschiegg further teaches maintaining a register of said
zones (paragraph 0009, regarding database of location and zone information). 

16. Regarding claims 8 and 21, Heinrich further teaches wherein each of said assets
is information related (0049, regarding risk assessment of a computer network system). 

17. Regarding claims 14 and 23, Heinrich further teaches including determining a 
measured risk for each asset, said measured risk for a respective asset comprising the 
product of 1) an impact level determined in said impact assessment and 2) the 
maximum of an asset risk determined in said asset risk assessment and an asset risk 
determined in said zone risk assessment (paragraph 0045-0048, regarding associating 
asset risk to risk levels and conducting a risk assessment).

18. With respect to claim 24, Tschiegg further teaches a risk management method,
comprising managing said risk (paragraph 0003, regarding managing risk).

19. As to claim 25, Heinrich further teaches wherein said managing of said risk 
comprises: 

i. determining the distribution of the number of assets as a function of 
associated measured risk (paragraph 0045, regarding assigning value to each 
risk to calculate an overall risk); 

j. determining a maximum acceptable risk level (paragraph 0048, regarding 
upper limit of the risk severity); and 

k. applying one or more controls if any of said assets exceeds said maximum 
acceptable risk level (paragraph 0168, regarding implementing changes to 
eliminate or downgrade risks). 

20. Regarding claim 26, Heinrich further teaches wherein said acceptable risk level 
comprises the lower of the highest available measured risk or 100% (paragraph 0058).

21. Claims 2-5, 7, 9-13, 15, 20, and 22 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Tschiegg et al (US 2003/0160818) and Heinrich (US 2003/0046128) 
in further view of Lovejoy et al (US 2002/0138416). 

22. Regarding claims 2 and 17, Tschiegg in view of Heinrich teaches a method as 
claimed in claim 1. Tschiegg in view of Heinrich does not directly teach identifying asset
custodians. However, Lovejoy teaches identifying one or more asset custodians, each 
comprising a custodian of a respective asset, and identifying one or more of said assets 
(paragraph 0056 and 0060, regarding the category of users that inventory the assets). 

It would have been obvious to one of ordinary skill in the art to include the 
business system of Tschiegg and Heinrich with the ability to identify asset custodians as 
taught by Lovejoy since the claimed invention is merely a combination of old elements, 
and in the combination each element merely would have performed the same function 
as it did separately, and one of ordinary skill in the art would have recognized that the 
results of the combination were predictable. 

23. As to claim 3, Lovejoy further teaches wherein each of said custodians is an 
employee with care-taking responsibilities (paragraph 0056 and 0060, regarding the 
category of users that inventory the assets).

24. With respect to claim 4, Lovejoy further teaches including maintaining a register
of said assets (paragraph 0055, regarding the inventory of assets stored in a database). 

25. Regarding claim 5, Lovejoy further teaches wherein said register includes a
respective owner of each of said assets (paragraph 0056 and 0060, regarding the
category of users that inventory the assets; also see page 20 of applicant's specification 
where custodians can also be owners). 

26. As to claims 7 and 20, Lovejoy further teaches the register of zones as taught by 
Tschiegg including a respective custodian of each of said zones (paragraph 0056 and 
0060, regarding the category of users that inventory the assets). 

27. With respect to claim 9, Tschiegg in view of Heinrich teaches a method as 
claimed in claim 2 wherein each of said assets is information related. Lovejoy further 
teaches where each of said asset custodians is an information custodian, each 
comprising a custodian of a respective information storage device within said 
organization (paragraph 0056 and 0060, regarding the category of users that inventory 
the assets). 

28. As to claim 10, Lovejoy defines custodians including users, risk assessor, 
security practitioner (physical and environmental custodian) and system administrators 
(MIS support custodian) (paragraph 0056). Lovejoy does not directly teach network 
custodians or software engineering custodians. However, the simple substitution of one
known element for another producing a predictable result renders the claim obvious.
Therefore, it would have been obvious to one with ordinary skill in the art to add 
additional network custodians and software engineering custodians to the system in 
Lovejoy. 

29. Regarding claims 11 and 12, whether the zone assessment is conducted by the 
respective custodian or owner of said respective zone is representative of descriptive 
material that does not modify the functionality of the underlying method to distinguish 
the claimed invention from the prior art. In re Gulack, 703 F.2d 1381, 1385, 217 USPQ 
401, 404 (Fed. Cir. 1983). Therefore, it would have been obvious to one with ordinary 
skill in the art to have the custodian or owner of the asset conduct the zone 
assessment. 

30. As to claims 13 and 22, Lovejoy further teaches regarding the loss of an asset as 
equivalent to the loss of a system of which said asset is a part (paragraph 0063, 
compromised assets causing a loss to the organization). 

31. With respect to claim 15, Lovejoy further teaches wherein none of said 
custodians is an owner (paragraph 0056 and 0060, regarding the category of users that 
inventory the assets).

Conclusion

32. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time
policy as set forth in 37 CFR 1.136(a).

33. A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

34. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to BRANDI P. PARKER whose telephone number is (571)
272-9796. The examiner can normally be reached on Mon-Thurs. 8-5pm.

35. If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Bradley B. Bayat can be reached on (571) 272-6704. The fax phone 
number for the organization where this application or proceeding is assigned is
571-273-8300.

36. Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/BRANDI P PARKER/ 
Examiner, Art Unit 3624 

/Bradley B Bayat/ 

Supervisory Patent Examiner, Art Unit 3624 



